
Characterizing and Detecting Virus Replication

Presented By: Jithu Joseph S7 CSE EPAIECS020

07/30/11

CONTENTS
1. Introduction
2. Proposed System
3. Replication Detection Models
4. Tests and Results
5. Discussions
6. Conclusion
7. Reference

INTRODUCTION
VIRUS
- What is a virus
- How it is hazardous

EXISTING SYSTEM
- Signature based method
- Limitations


PROPOSED SYSTEM
- Behaviour oriented detection
- Replication as the basic character
- Characterizing virus replication
- Showing that a virus can be detected based on replication


CHARACTERIZING REPLICATION
- What is replication
- How characterization is done
  - open, read, write, search and close
  - transition and replication states

The characterization is formally done with a finite state automaton (FSA).

FSA E is a 5-tuple (Σ, Q, s, F, δ) where:
- Σ is the alphabet of E. Elements of Σ are specific operations p belonging to the replication set P
- Q is the finite set of replication states {o, r, w, s, c}
- s ∈ Q is the start state of E
- F ⊆ Q is the final state of E
- δ: Q × Σ → Q is the transition function

REPLICATION DETECTION MODELS
- Operation Sequencing Detection Model
  - searches for an encoded string
- Replication State Frequency Model
  - uses the percentage of replication states occurring


Operation Sequence Detection Model

Searches for an encoded string; could be ORSWWRFC.

Replication State   Operation Name
opened              openfilex
read                readfilex, setfilepointer
written             copytofile, createfilenew, writefilex
search              finddir, getfileattrib
closed              closefile

Fig. Complete Replication Sequence searched

Implemented in 4 Steps
1. Build a training set
   - in sample size for each
2. Record the complete operation sequence of each
   - choose the desired level of granularity
   - sequence is encoded, converted to a string and recorded
3. Extract operation sequences
   - create all subsequences
   - attempt to match in the other training set
   - if a match is made, then record it
4. Match operation subsequences in a process to detect virus replication
   - the set made in the training session is used in detection
   - operation sequence matching
   - flagged if a match is found


Replication State Frequency Model
- Based on the high frequency of execution of the replication sequence
- Uses the percentage of each replication state occurring


Implemented in 3 Steps
1. Build a training set of random virus samples
2. Calculate the percentage occurring for each replication state
   - counter TSC and To, Tr, Tw, Ts and Tc
3. Match the occurrence percentage in a process
   - the occurrence percentage in the training set is compared with that in the process
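An added illustration of both detection models (not code from the presentation or the underlying paper): traces are encoded with the operation-to-state table from the slides, recurring subsequences are extracted from a training set and matched in a process trace, and state percentages (To, Tr, Tw, Ts, Tc over TSC) are compared against a training profile. The traces, the minimum subsequence length and the frequency tolerance are constructed assumptions.

```python
from itertools import combinations

# Operation name -> replication-state letter, as in the slide's table.
OP_STATE = {
    "openfilex": "O",
    "readfilex": "R", "setfilepointer": "R",
    "copytofile": "W", "createfilenew": "W", "writefilex": "W",
    "finddir": "S", "getfileattrib": "S",
    "closefile": "C",
}

# Constructed sample traces (assumed, not taken from the paper).
TRAINING = [
    ["openfilex", "readfilex", "finddir", "writefilex", "writefilex", "readfilex", "closefile"],
    ["finddir", "openfilex", "readfilex", "setfilepointer", "copytofile", "closefile"],
    ["openfilex", "readfilex", "finddir", "createfilenew", "writefilex", "closefile"],
]
SUSPECT = ["openfilex", "readfilex", "finddir", "writefilex", "writefilex", "closefile"]
BENIGN = ["openfilex", "readfilex", "closefile"]

def encode(trace):
    """Step 2: encode a trace as a state string; non-replication ops are dropped."""
    return "".join(OP_STATE[op] for op in trace if op in OP_STATE)

def subsequences(encoded, min_len):
    """All contiguous subsequences of at least min_len states."""
    n = len(encoded)
    return {encoded[i:j] for i in range(n) for j in range(i + min_len, n + 1)}

def train_sequences(training_traces, min_len=3):
    """Step 3: keep subsequences that recur in at least two training samples."""
    per_sample = [subsequences(encode(t), min_len) for t in training_traces]
    return set().union(*(a & b for a, b in combinations(per_sample, 2)))

def detect_sequence(trace, known):
    """Step 4: report the known subsequences found in a process trace."""
    enc = encode(trace)
    return sorted(s for s in known if s in enc)

def state_frequencies(traces):
    """Frequency model: share of each state (To, Tr, ...) over the total TSC."""
    enc = "".join(encode(t) for t in traces)
    tsc = len(enc) or 1
    return {s: enc.count(s) / tsc for s in "ORWSC"}

def detect_frequency(trace, profile, tolerance=0.1):
    """Frequency step 3: flag if every state share is within tolerance of training."""
    freq = state_frequencies([trace])
    return all(abs(freq[s] - profile[s]) <= tolerance for s in profile)

if __name__ == "__main__":
    known = train_sequences(TRAINING)
    print("sequence hits:", detect_sequence(SUSPECT, known))
    print("frequency match:", detect_frequency(SUSPECT, state_frequencies(TRAINING)))
```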


TESTS AND RESULTS
1. Operation sequence testing
2. Replication state frequency testing

DISCUSSIONS
- Many viruses can be detected based on the virus replication of a small number of known viruses
- Viruses containing multiple sequences

Virus Name   Number of Subsequences   Detected Viruses
Bagle.a      11                       7
Eyeveg.m     130                      96
Plexus.a     (missing)                62

CONCLUSION
Presented a characterization of virus replication with two detection models:
1. Operation Sequence Model
2. Replication Frequency Model

Detecting virus replication is possible for both detected and undetected viruses based on the characterization of replication.


Reference
1. A. Gostev, Kaspersky security bulletin 2006: Malware evolution, viruslist.com
2. B. Livingston, How long must you wait for an anti-virus fix? Datamation, February 2004, www.itmanagement.earthweb.com
3. T. Bradley, The new virus fighters, Datamation, January 2006, www.pcworld.com
4. www.cnetNews.com

Questions?
